From a security perspective, yesterday’s odd-year election went off without a hitch: Officials didn’t spot any major disruptions from hacking or disinformation campaigns.
But the fight to protect the 2020 contest is only ramping up. And officials were quick to warn that it will be a far juicier target for foreign actors.
“Our adversaries want to undermine our democratic institutions, influence public sentiment and affect government policies. Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions,” officials including FBI Director Christopher Wray, Defense Secretary Mark Esper, NSA Director Gen. Paul Nakasone and DHS’s top cybersecurity official Chris Krebs warned in a joint statement.
They pledged that “the U.S. government will defend our democracy and maintain transparency with the American public about our efforts.”
Still, yesterday’s election was effectively the last significant chance to road test its latest security advances before next year’s big day. And the Department of Homeland Security’s cybersecurity division brought all its resources to bear on the swath of local, legislative and gubernatorial races.
That included a war room where officials from DHS, the FBI, state election leaders, political parties and tech and social media companies parsed digital threats to election systems and a virtual “situational awareness room” where they shared that information with about 200 state and local election officials across the country.
DHS also pulled in data from relatively new sensors attached to the networks of election administration offices in places holding major contests, which are designed to flag any abnormal activity. And state and local officials ran cybersecurity rapid response plans they’d developed since Russia’s 2016 election interference operation.
Counties in Pennsylvania, Georgia and Texas, meanwhile, piloted the new and more secure voting machines they purchased in the wake of 2016 with help from $380 million appropriated by Congress.
The display was a major demonstration of how far election security has come since 2016 when Russian hackers were able to probe election systems across the country and to compromise a handful of those systems – though there’s no evidence they changed any votes.
The threat won’t diminish after 2020 either, Krebs warned during a news conference with Pennsylvania’s acting secretary of state Kathy Boockvar.
“Today, 2019 Election Day is a milestone; 2020, the presidential, is a milestone and 2022 after that,” he said. “This is a race without a finish line. We will be in this mission as long as we’re in these jobs.”
DHS’s goal, Krebs said, “is to ensure that American elections are decided by Americans, free of foreign interference.”
Working together, we can ensure resilience in the system and that American voters decide American elections.
— Chris Krebs (@CISAKrebs) November 5, 2019
DHS first piloted most of its election security protections during the 2018 midterms, which also concluded without any major interference from adversaries. That’s when DHS first piloted the virtual threat sharing room that will now be a key part of protecting the 2020 contest.
Since 2018, DHS has gotten better at identifying whether a digital threat is specifically targeting an election or just part of the usual malicious web traffic that hits IT systems every day, an official told reporters during a press call.
DHS has also improved how it vets the threat information state and local officials share on Election Day to ensure it’s only forwarding the most useful information, the official said.
“We are at full operational readiness,” the official said. “We were successful in 2018 and we’ll continue to build out throughout 2020.”
PINGED, PATCHED, PWNED
PINGED: Sen. Ron Wyden (D-Ore.) wants Federal Communications Commission Chairman Ajit Pai to mandate that wireless carriers turn on advanced encryption protections when they upgrade to next-generation 5G wireless networks, according to a letter shared exclusively with The Cybersecurity 202.
“The FCC must act to ensure that encryption and authentication features included in 5G standards are enabled by AT&T, Verizon and T-Mobile as they upgrade their networks,” Wyden writes. So far none of the major U.S. wireless carriers have publicly committed to doing so, he notes.
The letter comes as Facebook and other tech companies are expanding encryption protections but the Justice Department is warning that could allow terrorists and criminals to communicate beyond law enforcement’s reach.
Wyden also wants to know whether the FCC agrees with Commerce Department recommendations that phone calls and text messages should be encrypted to prevent security breaches and whether the agency has taken steps to encourage wireless carriers to adopt the recommendations. He asks whether the agency believes it has the authority to mandate that carriers encrypt their data.
5G networks will vastly improve Internet speeds and power a new generation of Internet-connected devices such as autonomous vehicles. But the super-fast networks have also prompted concerns about increased opportunities for spying and hacking by China and other U.S. adversaries.
PATCHED: The Chinese telecom firm Huawei plans to recruit hackers to find vulnerabilities in its mobile phones in an effort to win the trust of foreign governments as it faces suspicions of spying for the Chinese government, Zack Whittaker at TechCrunch reports. The company will gather hackers in Munich later this month.
The move comes as the United States is pressuring allies to bar Huawei from their 5G networks and has blacklisted the company from its own 5G networks and government systems. Huawei disputes charges that it helps Beijing spy and has said it would refuse any spying requests.
Competitors such as Android use similar bug bounty programs, which reward hackers for telling companies about vulnerabilities in their software.
Germany, meanwhile, may still be considering a ban on Huawei equipment in its 5G networks, Reuters reports.
PWNED: Facebook will outline plans to expand advanced encryption protections to its entire Messenger platform today at a Lisbon tech conference, Joseph Menn at Reuters reports.
The social media company will also encourage more users to opt in to an end-to-end encryption system that is already available on its Messenger app but tough to find, Facebook messaging privacy chief Jay Sullivan tells Joseph. End-to-end encryption basically makes messages unreadable by anyone but the sender and recipient.
Facebook is continuing to push its encryption plans despite outcry from law enforcement agencies in the United States, United Kingdom and Australia that encryption could make it harder to catch child sex predators who communicate via the app.
The company is also considering additional features to enhance safety once the service is encrypted, including requiring Messenger accounts to be tied to Facebook profiles to reduce throwaway accounts used by criminals.
— Cybersecurity news from the public sector:
The massively popular social media app TikTok is struggling to assuage lawmakers’ concerns over its ties to the Chinese government and allegations that it is amassing data on U.S. users for Beijing.
— The United States needs nearly half a million more cybersecurity professionals to adequately defend U.S. organizations, according to the latest annual workforce study by (ISC)², a nonprofit organization that provides cybersecurity certifications. There’s a global shortage of about 4 million cybersecurity pros, up from just over 3 million last year, the organization found.
Remember the Election Day hacking war game I wrote about yesterday? Things got pretty heated, as Axios’s Joe Uchill details, with hackers trying all sorts of scenarios from deepfakes to murder to derail the mock election.
Red team did this interesting sequence:
They intercepted phone transmissions near the voting machines.
Using the audio of voting supervisors, they used deep fake audio to phish voting officials to get them to reset voting machines with no paper backup
— Joe Uchill (@JoeUchill) November 5, 2019
Red Team just steered a bunch of autonomous vehicles into voting lines.
— Joe Uchill (@JoeUchill) November 5, 2019
In a previous Cybereason event I’d attended, there was a no murdering rule.
I suppose there’s no reason to assume someone trying to tamper with an election would show restraint.
— Joe Uchill (@JoeUchill) November 5, 2019
- The Senate Judiciary Committee will host a hearing on Reauthorizing the USA FREEDOM Act of 2015 on Wednesday at 2:30 p.m. Eastern time.
- The House Committee on Veterans Affairs will host a hearing on “Hijacking our Heroes: Exploiting Veterans through Disinformation on Social Media” on Wednesday, November 13 at 2 p.m. Eastern time.